
Both of these lines (as an example, others need attention as well) have the same problem: you're taking user-submitted data and using it without doing any validation. In almost all cases, this opens your code up to a lot of potential errors. In most cases (including this one), it also creates security holes.

In this case, your form has a field named email. You expect the user to enter their email address there, so you can reply to their message and send them a confirmation.

In the first case, you might say "no harm; it's their own fault anyway." Right? Maybe. But you've wasted everyone's time, and maybe lost an interested customer.

In the second case, you've become a spam server. You might unwittingly be helping commit XSRF or phishing attacks. Just as significantly, when ISPs look for someone to crack down on for this behavior, it's going to be you.

In both cases, the solution is simple: validate all user input. Everything from $_GET, $_POST, $_FILES, $_COOKIE, and $_REQUEST (and some of the $_SERVER vars, in fact) comes from the user. You cannot trust any of it. Always make sure you are getting the information you expect.

So, $_POST['email'] is supposed to be a single email address. Check to be sure!

PHP Code:

<?php

# <http://php.net/filter_var/>
# this will return the value from $_POST['email'] _IF_ it is a correctly formed email address,
# or FALSE if it is not.
# (email addresses can't have newlines in them, so multiple emails will also fail.)
$userEmail = filter_var( $_POST['email'], FILTER_VALIDATE_EMAIL );

Thank you guys so much!
Here is the current code with the validation. The only problem is when the email is sent it will take you to send.php, which will say "Thank you, your email was sent successfully!" if it sent, but when it fails it is a blank white page with no text. Also the error codes are not showing up; it just shows a blank page. I know I can add HTML to the send() tag, but when I add <html><head><body>hello</body></head></html> it shows the whole code, not the formatted way. Is this normal?

Hey guys,
One last question, the whole form seems to be working correctly except when it fails. When it fails it just shows a blank white page and does nothing. When it passes it shows a basic HTML page then redirects to the home page. How can I set this up so when the form fails it says "We're sorry something went wrong, go click here to go back" or show the actual reason why it failed, like "please enter an email".

Thank you,
I have tried switching the code but when using echo it will always show successfully sent even if the email is left blank, if you enter "hgldsfg" it will not send the email but still says successfully sent. I understand that the exit tag is making it go to a white screen but how can I get it to show that message.

Quite right. The exit is there to stop the script from continuing after you present whatever error message to the user - maybe by adding some code there, or using header() to redirect to an error page, etc.

Some comments about @Strangeplant's suggestions:

Originally Posted by Strangeplant

PHP Code:

function validEmail($email) {
    # etc. ...

Do you have any reason to prefer this function over filter_var()? The latter (being an internal PHP function) is much faster, immediately available, and maintained by the PHP team. The only feature it lacks is requiring a TLD in the domain part (which is not really a flaw, since valid email addresses don't necessarily require a TLD). Logically, you need one in order to reach an email address over the internet, but you can enforce that by changing your check to something like:

Leaving the brackets off "works" for single-line statements (technically, and depending on the circumstances, if you're very careful about it), but it often leads to fragile code and debugging nightmares.

Second, while there are some circumstances where it will be necessary to manually strip slashes, it is always better (and usually easier) to turn off magic_quotes_gpc in your php.ini file instead.
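As an added example (not code from this thread or from Strangeplant's function), here is a check built on filter_var() that also enforces the one thing the post above says it lacks, a dot in the domain part, run over a few constructed inputs. The function name validEmailAddress() and the sample values are my own; the newline sample shows that the "multiple addresses in one field" case from earlier in the thread is rejected by filter_var() before the extra check even runs.

```php
<?php
// Added example, not the thread's code: filter_var() plus a TLD check.
// The function name and the sample inputs below are assumptions for illustration.

function validEmailAddress($email)
{
    // filter_var() returns the validated string, or FALSE on failure.
    // Values containing newlines (several addresses crammed into one field)
    // fail here, which is what keeps the form from acting as a spam relay.
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        return false;
    }

    // Require a dot in the domain part so the address is reachable over the
    // internet; "user@localhost" is accepted by filter_var() on its own.
    $domain = substr(strrchr($clean, '@'), 1);
    if (strpos($domain, '.') === false) {
        return false;
    }

    return $clean;
}

// Constructed sample inputs, as a form might receive them in $_POST['email'].
$samples = array(
    'alice@example.com',                         // well formed, has a TLD
    'bob@localhost',                             // passes filter_var(), but no TLD
    'hgldsfg',                                   // not an address at all
    "alice@example.com\nBcc: mailbox@example.net", // newline smuggled into the field
    '  alice@example.com  ',                     // stray whitespace (trim() first if you want to accept this)
);

foreach ($samples as $input) {
    $result = validEmailAddress($input);
    printf("%-50s => %s\n",
        json_encode($input),
        $result === false ? 'rejected' : 'accepted: ' . $result);
}
```

Only the first sample is accepted; the others are rejected either by filter_var() itself or by the domain check. Because the function returns the validated string rather than TRUE, you can assign its result straight to $userEmail and test it with === false, exactly as with filter_var() alone.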

Quite right. The exit is there to stop the script from continuing after you present whatever error message to the user - maybe by adding some code there, or using header() to redirect to an error page, etc.

Oops. Right. itskater, you still need some way to disable the rest of the page from executing.

You should use if statements, redirects, or something else. Or, you can keep "exit" after the echo. But in general "exit" is a bad option (because it's not usually the way you want to organize code, for reasons beyond what is relevant here).

Organize your code into if-blocks. The "echo" should go within the if-block there, and then it will only show if (condition-is-met).

You should try to read your code line by line to see what it does. If you're guessing while coding, you certainly are going to do something wrong. If you understand what each line does, then it's just a slight extension to see how it fits together. Sometimes when I was learning to do that (such as editing a complicated existing script) I would actually print it out to read it and write notes on it. (I still do that, though rarely, for really complicated code.)

Edit: to add to that, I also, when the code is complex, make a point of commenting every single line so I know what it means. You can try that too.
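To show the if-block layout described above in one piece, here is an added example of how a send.php might be organised so that no branch ends on a blank page (this is my own sketch, not itskater's script). The helper names collectErrors(), showErrorPage() and sendContactMail() are assumptions, as are the field names email and message and the link back to contact.html; sendContactMail() is only a stand-in for whatever mail-sending code the form already has.

```php
<?php
// Added example, not the thread's code: a send.php skeleton in which every
// branch either prints a message or redirects, so the user never sees a blank page.
// Helper and field names are assumptions for illustration.

function collectErrors(array $post)
{
    $errors = array();

    if (!isset($post['email']) || trim($post['email']) === '') {
        $errors[] = 'Please enter an email address.';
    } elseif (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'That does not look like a valid email address.';
    }

    if (!isset($post['message']) || trim($post['message']) === '') {
        $errors[] = 'Please enter a message.';
    }

    return $errors;
}

function showErrorPage(array $errors)
{
    // htmlspecialchars() so the message text is displayed, never interpreted as markup
    echo "<!DOCTYPE html>\n<html><head><title>Form error</title></head><body>\n";
    echo "<p>We're sorry, something went wrong:</p>\n<ul>\n";
    foreach ($errors as $e) {
        echo '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    echo "</ul>\n<p><a href=\"contact.html\">Click here to go back</a></p>\n";
    echo "</body></html>\n";
}

function sendContactMail($to, $message)
{
    // Assumed stand-in for the form's existing mail() call; $to has already
    // been validated as a single well-formed address by collectErrors().
    return mail($to, 'Thank you for your message', $message);
}

$errors = collectErrors($_POST);

if (count($errors) > 0) {
    showErrorPage($errors);
    exit; // stop here: nothing below may run when validation failed
}

// Validation passed, so the values now have the shape the rest of the script expects.
$userEmail = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
$message   = $_POST['message'];

if (sendContactMail($userEmail, $message)) {
    // To redirect instead, call header('Location: /index.html') here,
    // before anything is echoed, and then exit.
    echo "<!DOCTYPE html>\n<html><body><p>Thank you, your email was sent successfully!</p></body></html>\n";
} else {
    showErrorPage(array('Your message could not be sent. Please try again later.'));
}
```

The point of the layout is that the "successfully sent" echo sits inside the branch that is only reached after validation and sending both succeeded, which is why a blank email or "hgldsfg" can no longer produce that message; the single exit after showErrorPage() does the job the thread described, stopping the rest of the page from executing once an error has been shown.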